Cache Manager Menu For Web Proxy Not Loading

There was no change. That is how it was set up before our emails:
Curious since ipfire should be greatly improved after all the versions.

The other community question concerned the blank IPS logs.

What is necessary is an ipfire test page which answers the real Question:
is the firewall correctly configured and working properly.

Best Regards,

Did you try from the green network?

You know… I absolutely agree with your thought. I see no documentation that states anything like that.

I just tried with an empty password. And eureka! It works.

I’ll try the Green again. Didn’t make a difference at the last try. Noticed a Forbidden when accessing the cache.

Kenneth,

What network are you on when you are trying to access the menu?

If you can, you don’t have to, but is it possible to paste me back the squid.conf file contents?

I am driving to help you get through this and there may be something I missed in asking to look for.

Eric

[root@ipfire proxy]# cat squid.conf

# Do not modify '/var/ipfire/proxy/squid.conf' directly since any changes
# you make will be overwritten whenever you resave proxy settings using the
# web interface!
# Instead, modify the file '/var/ipfire/proxy/advanced/acls/include.acl' and
# then restart the proxy service using the web interface. Changes made to the
# 'include.acl' file will propagate to the 'squid.conf' file at that time.

shutdown_lifetime 5 seconds
icp_port 0

http_port 192.168.5.2:800
http_port 192.168.5.2:3128 intercept
http_port 192.168.2.2:800
http_port 192.168.2.2:3128 intercept

cache_effective_user squid
umask 022

pid_filename /var/run/squid.pid

cache_mem 750 MB
error_directory /usr/lib/squid/errors/en

digest_generation off

acl SSL_ports port 443 # https
acl SSL_ports port 4000 # IBKR
acl SSL_ports port 4001 # IBKR
acl SSL_ports port 7496 # IBKR API
acl SSL_ports port 563 # snews
acl SSL_ports port 9050 # VPN
acl Safe_ports port 80 # http
acl Safe_ports port 81 # squid
acl Safe_ports port 444 # web interface
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 800 # Squids port (for icons)
acl Safe_ports port 465 # Cotse Mail
acl Safe_ports port 995 # Cotse Mail
acl Safe_ports port 3128 # Squid port
acl Safe_ports port 3310 # Clamav
acl Safe_ports port 9050 # VPN
acl Safe_ports port 7496 # IBKR API
acl Safe_ports port 4000 # IBKR
acl Safe_ports port 4001 # IBKR
acl Safe_ports port 1194 # VPN
acl Safe_ports port 443 # https
acl Safe_ports port 563 # snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl IPFire_http port 81
acl IPFire_https port 444
acl IPFire_ips dst 192.168.5.2
acl IPFire_networks src "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_servers dst "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_green_network src 192.168.5.0/24
acl IPFire_green_servers dst 192.168.5.0/24
acl IPFire_blue_network src 192.168.2.0/24
acl IPFire_blue_servers dst 192.168.2.0/24
acl IPFire_banned_ips src "/var/ipfire/proxy/advanced/acls/src_banned_ip.acl"
acl IPFire_unrestricted_ips src "/var/ipfire/proxy/advanced/acls/src_unrestricted_ip.acl"
acl CONNECT method CONNECT
maximum_object_size 4096 KB
minimum_object_size 0 KB

cache_dir aufs /var/log/cache 1500 16 256
request_body_max_size 0 KB
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

strip_query_terms off

log_mime_hdrs off
forwarded_for off
via off

authenticate_ip_ttl 0

acl within_timeframe time MTWHFAS 00:15-23:45

#Settings for squidclamav:
http_port 127.0.0.1:800
acl purge method PURGE
http_access deny to_localhost
http_access allow localhost
http_access allow purge localhost
http_access deny purge
url_rewrite_access deny localhost

#Access to squid:
#local machine, no restriction
http_access allow localhost

#GUI admin if local machine connects
http_access allow IPFire_ips IPFire_networks IPFire_http
http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https

#Deny not web services
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#Set custom configured ACLs
http_access deny IPFire_banned_ips
http_access allow IPFire_unrestricted_ips
http_access allow IPFire_networks within_timeframe
http_access deny all

#Strip HTTP Header
request_header_access X-Forwarded-For deny all
reply_header_access X-Forwarded-For deny all
request_header_access Via deny all
reply_header_access Via deny all

httpd_suppress_version_string on

visible_hostname ipfire

cache_mgr yellow@perform.cotse.net
cachemgr_passwd Hawaii all

max_filedescriptors 16384

url_rewrite_program /usr/sbin/redirect_wrapper
url_rewrite_children 4 startup=4 idle=4 queue-size=128

[root@ipfire proxy]#

Accessing from GREEN:

Apparently the problem is port 81. That should be port 800. Is that the correct assessment? How did port 81 enter into the configuration, or how do I change it?
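The http_access section of the squid.conf posted above is what decides whether a request from a given client to a given destination and port gets through, and Squid evaluates those lines top-down with the first matching line winning. The script below is an added example, not Squid or IPFire code: it models that evaluation for the ACL types this file actually uses (src, dst, port, method, time) over an excerpt of the posted rules. The contents of the ACL files IPFire writes from the GUI (src_subnets.acl, src_banned_ip.acl, src_unrestricted_ip.acl) are assumed and inlined, the squidclamav, purge and header lines are left out because they do not change the decisions shown, and the Squid time ACL boundary is treated as inclusive. Running it shows that a GREEN client reaching 192.168.5.2:81 is admitted by the "GUI admin" line long before the Safe_ports check, that a request to the proxy port 800 falls through to the general network rule, and which line refuses a CONNECT to a port that is not in SSL_ports.

```python
"""Model of Squid's http_access evaluation for the IPFire squid.conf posted
above. Added example, not Squid or IPFire code: it covers only the ACL types
that file uses (src, dst, port, method, time) and first-match rule ordering."""
import ipaddress
from datetime import datetime

# Assumed contents of the ACL files IPFire writes from the GUI (constructed).
ACL_FILES = {
    "/var/ipfire/proxy/advanced/acls/src_subnets.acl": "192.168.5.0/24\n192.168.2.0/24\n",
    "/var/ipfire/proxy/advanced/acls/src_banned_ip.acl": "192.168.5.66\n",
    "/var/ipfire/proxy/advanced/acls/src_unrestricted_ip.acl": "",
}

# Excerpt of the posted config; squidclamav/purge and header lines omitted.
SQUID_CONF = """
acl SSL_ports port 443
acl SSL_ports port 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 800 # Squids port (for icons)
acl Safe_ports port 1025-65535
acl IPFire_http port 81
acl IPFire_https port 444
acl IPFire_ips dst 192.168.5.2
acl IPFire_networks src "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_banned_ips src "/var/ipfire/proxy/advanced/acls/src_banned_ip.acl"
acl IPFire_unrestricted_ips src "/var/ipfire/proxy/advanced/acls/src_unrestricted_ip.acl"
acl CONNECT method CONNECT
acl within_timeframe time MTWHFAS 00:15-23:45
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access allow IPFire_ips IPFire_networks IPFire_http
http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny IPFire_banned_ips
http_access allow IPFire_unrestricted_ips
http_access allow IPFire_networks within_timeframe
http_access deny all
"""

DAYS = "SMTWHFA"  # Squid's day letters, Sunday first

def _values(token):
    """A double-quoted token names a file holding one value per line."""
    if token.startswith('"'):
        return ACL_FILES[token.strip('"')].split()
    return [token]

def parse_conf(text):
    acls, rules = {}, []  # name -> (type, values); [(action, [(negated, name)])]
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            typ, vals = acls.setdefault(parts[1], (parts[2], []))
            for tok in parts[3:]:
                vals.extend(_values(tok))
        elif parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules

def _in_ranges(values, port):
    for v in values:
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def acl_matches(acls, name, req):
    if name == "all":
        return True
    typ, values = acls[name]
    if typ in ("src", "dst"):
        addr = ipaddress.ip_address(req[typ])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "port":
        return _in_ranges(values, req["port"])
    if typ == "method":
        return req["method"] in values
    if typ == "time":
        days, window = values
        start, end = (datetime.strptime(t, "%H:%M").time() for t in window.split("-"))
        when = req["when"]
        return DAYS[(when.weekday() + 1) % 7] in days and start <= when.time() <= end
    raise ValueError("unsupported acl type " + typ)

def evaluate(acls, rules, req):
    """Walk http_access top-down: a line matches when every term on it matches
    (a negated term must not match); the first matching line decides. If no
    line matches, Squid applies the opposite of the last line's action."""
    for n, (action, terms) in enumerate(rules, 1):
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            return action, n
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def decide(src, dst, port, method="GET", when="2020-01-06T12:00"):
    """Decision and the 1-based http_access line that produced it."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)  # 2020-01-06 is a Monday
    acls, rules = parse_conf(SQUID_CONF)
    return evaluate(acls, rules, {"src": src, "dst": dst, "port": port,
                                  "method": method, "when": when})

if __name__ == "__main__":
    print(decide("192.168.5.10", "192.168.5.2", 81))               # ('allow', 2) GUI rule
    print(decide("192.168.5.10", "192.168.5.2", 800))              # ('allow', 8) network rule
    print(decide("192.168.5.10", "93.184.216.34", 8443, "CONNECT"))  # ('deny', 5)
```

Because the "GUI admin" line sits above "deny !Safe_ports", port 81 and 444 on the firewall address are reachable even though neither needs to be in Safe_ports; the proxy's own port 800, by contrast, does have to be in Safe_ports, otherwise the icon requests on it are refused at line 4 before the network rule is ever reached.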

I will screenshot my config and paste it for a comparison. Give me a short bit.

Kenneth,

Sorry about the delay. I have been crazy busy with work. Here is a full squid.conf file from my working web proxy.

# Do not modify '/var/ipfire/proxy/squid.conf' directly since any changes
# you make will be overwritten whenever you resave proxy settings using the
# web interface!
# Instead, modify the file '/var/ipfire/proxy/advanced/acls/include.acl' and
# then restart the proxy service using the web interface. Changes made to the
# 'include.acl' file will propagate to the 'squid.conf' file at that time.

shutdown_lifetime 5 seconds
icp_port 0

http_port 172.x.x.1:801
http_port 172.x.x.1:3129 intercept

acl no_cache_hosts url_regex -i "/var/ipfire/proxy/advanced/acls/dst_nocache_url.acl"
cache deny no_cache_hosts

cache_effective_user squid
umask 022

pid_filename /var/run/squid.pid

cache_mem 750 MB
error_directory /usr/lib/squid/errors/en

digest_generation off

acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 801 # Squids port (for icons)

acl IPFire_http port 81
acl IPFire_https port 444
acl IPFire_ips dst 172.x.x.1
acl IPFire_networks src "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_servers dst "/var/ipfire/proxy/advanced/acls/src_subnets.acl"
acl IPFire_green_network src 172.x.x.0/24
acl IPFire_green_servers dst 172.x.x.0/24
acl CONNECT method CONNECT
maximum_object_size 4096 KB
minimum_object_size 0 KB

cache_dir aufs /var/log/cache 1500 16 256
request_body_max_size 0 KB
access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
access_log stdio:/var/log/squid/user_agent.log useragent

strip_query_terms off

log_mime_hdrs off
forwarded_for off
via off

authenticate_ip_ttl 0

acl within_timeframe time MTWHFAS 00:00-24:00

#Start of custom includes

#End of custom includes

#Settings for squidclamav:
http_port 127.0.0.1:801
acl purge method PURGE
http_access deny to_localhost
http_access allow localhost
http_access allow purge localhost
http_access deny purge
url_rewrite_access deny localhost

#Access to squid:
#local machine, no restriction
http_access allow localhost

#GUI admin if local machine connects
http_access allow IPFire_ips IPFire_networks IPFire_http
http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https

#Deny not web services
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#Set custom configured ACLs
http_access allow IPFire_networks within_timeframe
http_access deny all

#Strip HTTP Header
request_header_access X-Forwarded-For deny all
reply_header_access X-Forwarded-For deny all
request_header_access Via deny all
reply_header_access Via deny all

visible_hostname ipfire.localdomain

cache_mgr pickyouremail@domain.com
Note here… I do not have a password set for the cache manager otherwise there would be a parameter for it.

max_filedescriptors 16384

url_rewrite_program /usr/sbin/redirect_wrapper
url_rewrite_children 3 startup=3 idle=3 queue-size=96
----------------------------------------------------------------------------------------------------------------------------------

Notes that I extracted from the config file above, from here down.

/var/ipfire/proxy/advanced/acls/src_subnets.acl
**** You should see all zones in your firewall in here x.x.x.0/24. You should have an allow entry for each zone, Blue, Green, Pink… if you use it lol
**** I just advise checking it to make sure its there.

These entries, I believe you already had, along with your other zones.
acl IPFire_green_network src x.x.x.0/24
acl IPFire_green_servers dst x.x.x.0/24

#Access to squid:
#local machine, no restriction
http_access allow localhost
****This allows it to communicate with itself.

Check your ports_safe.acl
[root@ipfire squid]# cd /var/ipfire/proxy/advanced/acls/
[root@ipfire acls]# cat ports_safe.acl
80 # http
21 # ftp
443 # https
563 # snews
70 # gopher
210 # wais
1025-65535 # unregistered ports
280 # http-mgmt
488 # gss-http
591 # filemaker
777 # multiling http
801 # Squids port (for icons)
****Make sure the above list matches, and also check your Squids port. Mine is 801, yours I think is different.

Also,

This is where you change that port.

then

Click Save and Restart which will bounce your squid proxy service.
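The notes above boil down to a checklist: the proxy's own port has to be in Safe_ports (Squid serves the error-page icons from it, and "deny !Safe_ports" blocks it otherwise), and every zone that has a listener has to be in src_subnets.acl or its clients fall through to "deny all". The script below is an added example, not IPFire code, that runs that checklist over the generated squid.conf text. It assumes the layout seen in both posted files, one "http_port ip:port [intercept]" line per zone and one "acl Safe_ports port" line per entry; the config excerpt and the src_subnets.acl contents are constructed inline, and the second case reproduces what happens when the proxy port is changed in the GUI but the Safe_ports list and the subnet file do not follow.

```python
"""Checklist from the notes above, as a script. Added example, not IPFire code.
Checks that each explicit (non-intercept) http_port is in Safe_ports and that
each zone with a listener is present in src_subnets.acl."""
import ipaddress

# Constructed excerpt of an IPFire-generated squid.conf (same layout as posted).
GOOD_CONF = """
http_port 192.168.5.2:800
http_port 192.168.5.2:3128 intercept
http_port 192.168.2.2:800
http_port 192.168.2.2:3128 intercept
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 800 # Squids port (for icons)
acl Safe_ports port 1025-65535 # unregistered ports
http_port 127.0.0.1:800
"""
SRC_SUBNETS = "192.168.5.0/24\n192.168.2.0/24\n"  # assumed src_subnets.acl

# Failure case: proxy port moved to 808 while Safe_ports still lists 800.
BAD_CONF = GOOD_CONF.replace(":800", ":808")

def _port_in(ranges, port):
    """Squid port ACL values are single ports or lo-hi ranges."""
    for r in ranges:
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def parse_conf(conf):
    """Pull http_port listeners and Safe_ports values out of squid.conf text."""
    listeners, safe_ports = [], []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comments
        if not parts:
            continue
        if parts[0] == "http_port":
            ip, _, port = parts[1].rpartition(":")
            listeners.append((ip, int(port), "intercept" in parts[2:]))
        elif parts[:3] == ["acl", "Safe_ports", "port"]:
            safe_ports.extend(parts[3:])
    return listeners, safe_ports

def check(conf, src_subnets):
    """Return sorted findings; an empty list means both checks pass."""
    listeners, safe_ports = parse_conf(conf)
    subnets = [ipaddress.ip_network(s, strict=False) for s in src_subnets.split()]
    findings = set()
    for ip, port, intercept in listeners:
        # Intercepted traffic keeps its original destination port (80), so
        # only the explicit proxy port must appear in Safe_ports.
        if not intercept and not _port_in(safe_ports, port):
            findings.add(f"proxy port {port} is not in Safe_ports")
        addr = ipaddress.ip_address(ip)
        if not addr.is_loopback and not any(addr in n for n in subnets):
            findings.add(f"listener {ip} is not covered by src_subnets.acl")
    return sorted(findings)

if __name__ == "__main__":
    print(check(GOOD_CONF, SRC_SUBNETS))          # []
    print(check(BAD_CONF, "192.168.5.0/24"))      # two findings
```

On a live box, feed it the real files: conf = open("/var/ipfire/proxy/squid.conf").read() and the contents of /var/ipfire/proxy/advanced/acls/src_subnets.acl. Because the GUI rewrites squid.conf on every save, run the check after "Save and Restart", not before.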

Eric,

That’s swell. Really Appreciated. Drive SAFE.

Ken

The port 81 line has nothing to do with the cache manager. It is handled by Apache and used for the block pages, update accelerator and web GUI. It also should redirect to the web GUI (https 444) if you try to get it without a URL.

Eric,
thx for your config file.
Most interesting fact is, you don’t use a password!

Maybe, this is just the problem.

Thanks Arne, that reply was very helpful.
A little bit of thought saves a lot of work.

Bernhard,

I am not sure what you’re talking about here in this thread. LOL…

I am not the one with the Web Proxy issue, but rather Kenneth whom I am trying to advise. The Web Proxy actually works in my install, although it was a bear to set up initially.

Kenneth, you could pick any port, in theory, that isn’t a standard used port, and it’s OK. 444 is the port used to connect to the Squid Cache Manager web GUI and 801 is the port of connection into the actual cache server.


This means you could technically have several “Cache Servers” running on different ports, or even the same port on different IP addresses, depending on the amount of HTTP Traffic flowing through your network. 1 : ~ relationship
Notice the down arrow to the right of the IP:801 in my screenshot. It is a selection box so you can manage whatever and whichever “Cache Server” your data is on.


Another side note, not only does a person manage the cache from port 801, but 801 and 3129, are the 2 ports used to pass traffic through the Proxy. 1 is the inbound, the other, the outbound… Look back in my squid config for the word intercept.

Let’s just say that I work on a lot of stuff in my field and might have a tid-bit of experience with this sort of thing. In application to Squid, ehhh, it’s OK, but it’s a basic concept with inbound and outbound caching of bits and pieces of traffic over HTTP. It’s a heck of a bandwidth saver if you can get it up and running.

Another note… make sure this is turned on. Nothing worse than not being notified in logs if something gets blocked.

Both of these ports are configurable from the perspective of the GUI, down in the picture below.


Eric

Kenneth,

I found your problem, because I was just literally able to replicate your problem on my production IPFire. Figured it was Off-Peak hours so I could toy with it slightly.

Let’s do show and tell here…

Here is what I was able to force to happen, on my working system.

Quick test to see login passwords… See notes in green on picture…

I added a password after testing to the passwords box on the IPFire Web Proxy screen… This is where I figured out what I believe to be your problem, based on testing and reading back through your posts.


What did I do to cause this? I added a password to this box.

I clicked “Save and Restart” button on the same page to recycle squid services and re-read config.

After doing so, I closed my browser tabs, went back to the cachemanager login page, and tried logging in with crap passwords again, and it blocked me.

Each time I changed the password, I ran:

cat squid.conf to see if the password was updating. Sure was…

Go check out your GUI and your squid.conf and look for your password:
cachemgr_passwd Hawaii all

I took it a little further in testing… Toying more, and found exactly your problem… Now I am pretty damn sure I hit the bullseye…

the URI rotate, and every other URI path under the cache manager, started failing
cache_object://x.x.x.1/via_headers for example…


and…drumroll please… The problem is…

There is a password in the Web Proxy field, just below the email you entered. Delete that password, Click “Save and Restart”, then empty your cache, close your browser, open it back up and try it again. Almost positive it will work!

I told you in the beginning that I had seen this happen to me in the past and it took me this long to figure it back out, because I just couldn’t remember. There is something jacked up in the squid proxy code that if you have a password in there, it will allow you to the cache manager menu but will choke on all of its URI paths.

Give that a shot and see what happens!

Eric



Hi Kenneth,

I see your picture, but I can’t determine if what I posted actually helped resolve your ability to click and load any of the links in that cache manager menu.

Can you click through, and actually get the pages to load, without getting the red screen of death (which complain about authenticating), for each of the links in that menu?

Please confirm.

Thx

Eric